From 05dfccbbc7d734f51be7183a7e08ce02e583bb62 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 8 Jul 2024 02:32:09 +0100
Subject: [PATCH] Introduce OpenVPN TLS Key generation and inlining for TLS-AUTH/CRYPT
Signed-off-by: Richard T Bonhomme
---
easyrsa3/easyrsa | 101 +++++++++++++++++++++++++++++++++++++++++------
1 file changed, 90 insertions(+), 11 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 5cb2e7c4..7d558e71 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -38,7 +38,7 @@ A list of commands is shown below:
 build-client-full [ cmd-opts ]
 build-server-full [ cmd-opts ]
 build-serverClient-full [ cmd-opts ]
- inline
+ inline [ ]
 revoke [ cmd-opts ]
 expire
 revoke-expired [ cmd-opts ]
@@ -56,6 +56,7 @@ A list of commands is shown below:
 export-p8 [ cmd-opts ]
 export-p12 [ cmd-opts ]
 set-pass [ cmd-opts ]
+ gen-tls-auth-key / gen-tls-crypt-key
 write [ cmd-opts ]"
 # collect/show dir status:
@@ -202,12 +203,12 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]"
 ;;
 inline)
 text="
-* inline
+* inline [ ]
- Print inline data for , with key and CA.
+ Print inline data for to stdout."
- * NOTE: To create an inline-file the output must be redirected.
- If the output is incomplete then an error is returned."
+ opts="
+ * - Write inline data to "
 ;;
 revoke*)
 text="
@@ -510,6 +511,17 @@ These commands require easyrsa-tools.lib to be installed:
 show-expire (Optional)
 show-revoke (Optional)
 show-renew (Optional)"
+ ;;
+ gen-tls*)
+ text_only=1
+ text="
+Generate TLS keys for OpenVPN use:
+
+ gen-tls-auth-key : Generate OpenVPN TLS-AUTH key
+ gen-tls-crypt-key : Generate OpenVPN TLS-CRYPT key (Preferred)
+
+Only one TLS key is allowed to exist. (pki/private/easyrsa-tls.key)
+This TLS key will be automatically added to inline files."
 ;;
 opts|options)
 opt_usage
@@ -2101,7 +2113,7 @@ SHA256 fingerprint (See inline file below):
 * $crt_fingerprint"
 # inline key/cert/fingerprint
- if inline_creds "$file_name_base" > "$inline_out"; then
+ if inline_creds "$file_name_base" "$inline_out"; then
 notice "\
 Inline file created:
 * $inline_out"
@@ -2918,7 +2930,7 @@ See error messages above for details."
 verbose "build_full: END sign_req"
 # inline it
- if inline_creds "$name" > "$inline_out"; then
+ if inline_creds "$name" "$inline_out"; then
 notice "\
 Inline file created:
 * $inline_out"
@@ -2935,10 +2947,23 @@ INCOMPLETE Inline file created:
 inline_creds() {
 [ "$1" ] || die "inline_creds - Missing file_name_base"
+ if [ "$2" ]; then
+ [ -f "$2" ] && user_error "Cannot overwrite existing file!"
+ out_tmp_file="$2"
+ output_to_stdout=
+ else
+ inline_tmp=
+ easyrsa_mktemp inline_tmp || \
+ die "inline_creds - easyrsa_mktemp inline_tmp"
+ out_tmp_file="$inline_tmp"
+ output_to_stdout=1
+ fi
+
 # Source files
 crt_source="${EASYRSA_PKI}/issued/${1}.crt"
 key_source="${EASYRSA_PKI}/private/${1}.key"
 ca_source="$EASYRSA_PKI/ca.crt"
+ tls_source="${EASYRSA_PKI}"/private/easyrsa-tls.key
 incomplete=0
 # Generate data
@@ -2973,7 +2998,7 @@ inline_creds() {
 selfsign_details="\
 # SELF-SIGNED
 # SHA256 fingerprint:
-# $crt_fingerprint"
+# ${crt_fingerprint}${NL}"
 fi
 # Certificate
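Review bot: The new guard `[ -f "$2" ] && user_error "Cannot overwrite existing file!"` in inline_creds turns what used to be a silent `>` overwrite at the two callers changed in this patch (hunks @@ -2101 and @@ -2918) into a hard failure whenever `$inline_out` already exists; if those flows can run again for the same name (a rebuilt or renewed certificate, for instance), the callers need to remove the stale inline file first, or the guard should apply only to the user-supplied `inline <file>` path. The guard also tests only regular files, so a directory or a dangling symlink at `$2` falls through to the write — the former is caught late by the generic `write FAILED` die, the latter would create the link's target; `[ -e "$2" ] || [ -L "$2" ]` rejects both up front. Minor style: `tls_source="${EASYRSA_PKI}"/private/easyrsa-tls.key` quotes differently from the three source paths above it; `tls_source="${EASYRSA_PKI}/private/easyrsa-tls.key"` matches them. inline_creds continues past the end of this hunk.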
@@ -3023,18 +3048,52 @@ $(cat "$ca_source")
 fi
 fi
+ # TLS auth|crypt key
+ if [ -f "$tls_source" ]; then
+ tls_key_data="$(cat "$tls_source")"
+ case "$tls_key_data" in
+ *'TLS-AUTH'*)
+ inline_label=tls-auth
+ ;;
+ *'TLS-CRYPT'*)
+ inline_label=tls-crypt
+ ;;
+ *)
+ inline_label=
+ esac
+
+ if [ "$inline_label" ]; then
+ tls_data="\
+<${inline_label}>
+${tls_key_data}
+"
+ else
+ incomplete=1
+ tls_data="# Easy-RSA TLS Key not recognised!"
+ fi
+ else
+ incomplete=1
+ tls_data="# Easy-RSA TLS Key not found!"
+ fi
+
 # Print data
 print "\
-# Easy-RSA Type: $type_data
+# Easy-RSA inline-file for use with OpenVPN
+# Type: $type_data
 # Name: $1
 $selfsign_details
-
 $crt_data
 $key_data
 $ca_data
-"
+
+$tls_data
+" > "$out_tmp_file" || die "inline_creds - write FAILED"
+
+ # Output to stdout
+ [ "$output_to_stdout" ] && cat "$out_tmp_file"
+
 # If inline file is incomplete then return error
 return "$incomplete"
 } # => inline_creds()
@@ -5939,6 +5998,26 @@ case "$cmd" in
 die "Unknown command: '$cmd'"
 esac
 ;;
+ gen-tls-*)
+ verify_working_env
+
+ # easyrsa-tools.lib is required
+ easyrsa_source_tools_lib
+
+ case "$cmd" in
+ gen-tls-auth|gen-tls-auth-*)
+ tls_key_gen tls-auth "$@"
+ ;;
+ gen-tls-crypt|gen-tls-crypt-*)
+ tls_key_gen tls-crypt "$@"
+ ;;
+ gen-tls-cryptv2|gen-tls-cryptv2-*)
+ tls_key_gen tls-crypt-v2 "$@"
+ ;;
+ *)
+ die "Command '$cmd' not currently implemented."
+ esac
+ ;;
 verify|verify-cert)
 verify_working_env
 # Called with --batch, this will return error
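Review bot: A PKI that has no `easyrsa-tls.key` now produces an "incomplete" inline file every time: the outer `else` branch sets `incomplete=1` together with `tls_data="# Easy-RSA TLS Key not found!"`, so inline_creds returns non-zero and both callers report INCOMPLETE for a client/server bundle that was complete before this patch. Unless the TLS key is now mandatory, a missing key should stay a comment only (drop `incomplete=1` from that branch) and keep `incomplete=1` for the unrecognised-key case, where the file exists but cannot be labelled. The `case "$tls_key_data"` detection is a substring match over the whole file, so a key file that happens to contain both markers is labelled by whichever pattern is listed first; anchoring the match to the key's header line would be tighter, and since the dispatch hunk below also routes `gen-tls-cryptv2` to `tls_key_gen tls-crypt-v2`, a v2 key that carries the TLS-CRYPT marker would presumably be inlined under `<tls-crypt>` rather than a v2 label — worth confirming against what tls_key_gen writes. inline_creds starts before this hunk.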
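Review bot: In the new `gen-tls-*)` arm the inner `case` tests `gen-tls-crypt|gen-tls-crypt-*` before `gen-tls-cryptv2|gen-tls-cryptv2-*`, and because `gen-tls-crypt-*` also matches a hyphenated spelling such as `gen-tls-crypt-v2-key`, that command would be routed to `tls_key_gen tls-crypt` without any message; listing the v2 pattern first, or matching the exact documented names (`gen-tls-auth-key`, `gen-tls-crypt-key`) and leaving everything else to the `*)` die, removes the ambiguity. The usage text added earlier in this patch (hunks @@ -56 and @@ -510) documents only the auth and crypt commands, so the `gen-tls-cryptv2` arm is reachable but undocumented — either add it to the usage text or hold it back until tls_key_gen supports it. Whether `"$@"` still carries the command word here depends on a shift before the outer `case "$cmd"`, which is outside the hunk.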